Functions of seven DKnife components | Image: Cisco Talos
A powerful new cyber weapon has been discovered lurking in routers and edge devices, capable of monitoring traffic, hijacking downloads, and deploying backdoors with surgical precision. In a new investigation, Cisco Talos has exposed “DKnife,” a sophisticated adversary-in-the-middle (AitM) framework that has been active since 2019 and remains a threat today.
Linked to China-nexus threat actors, DKnife is not a simple virus; it is a full-featured surveillance suite. The framework turns compromised network gateways into checkpoints, allowing attackers to inspect every packet and manipulate data before it even reaches the victim’s device.
DKnife is composed of seven distinct Linux-based implants, each playing a specific role in the attack chain. One component, yitiji.bin (derived from the Chinese term “一体机”, meaning “all-in-one”), creates a bridged network interface to secretly route attacker traffic.
The framework’s capabilities are vast. It performs “deep-packet inspection, manipulate[s] traffic, and deliver[s] malware via routers and edge devices”. This allows it to:
- Hijack Android Updates: By intercepting update manifests, DKnife replaces legitimate app updates with malicious APKs.
- Spoof Downloads: It detects when a user tries to download a Windows binary (like an .exe file) and swaps it for a malicious installer on the fly.
- Disrupt Security Tools: The framework actively identifies and blocks traffic from antivirus products like 360 Total Security and Tencent PC Manager, blinding defenders.
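As an added illustration (not code from the Talos report or from DKnife itself), the following Python check shows how a client or egress proxy can spot the kind of on-the-fly binary swap described above: it verifies that the response to an .exe request is still a PE image, that the served filename matches the requested one, that the declared length matches the body, and that the SHA-256 digest matches one pinned out of band. The installer bytes, the pinned digest and the HTTP responses are all constructed for the example; the filename setup.exe is a placeholder.

```python
import hashlib
import re

# Constructed stand-in for the vendor's real installer (a PE image starts with "MZ").
LEGIT_INSTALLER = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 64
# Digest the client would obtain out of band (vendor page over TLS, signed manifest, ...).
PINNED_SHA256 = hashlib.sha256(LEGIT_INSTALLER).hexdigest()
# Constructed stand-in for the attacker's substitute: still a valid-looking PE, same name.
SWAPPED_INSTALLER = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n" + b"\x01" * 64


def make_response(body: bytes, filename: str, content_type: str = "application/octet-stream") -> bytes:
    """Build a raw HTTP/1.1 response as an on-path device would hand it to the client."""
    head = (
        "HTTP/1.1 200 OK\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "\r\n"
    )
    return head.encode("latin-1") + body


def parse_http_response(raw: bytes):
    """Split a raw response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_download(requested_name: str, raw_response: bytes, pinned_sha256: str) -> list[str]:
    """Return a list of findings; an empty list means the download passed every check."""
    status, headers, body = parse_http_response(raw_response)
    findings = []
    if status != 200:
        findings.append(f"unexpected status {status}")
    match = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    served_name = match.group(1) if match else requested_name
    if served_name != requested_name:
        findings.append(f"served filename {served_name!r} differs from requested {requested_name!r}")
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        findings.append(f"content-length {declared} does not match body size {len(body)}")
    if body[:2] != b"MZ":
        findings.append("body is not a PE image")
    # The pinned digest is the only check an on-path attacker cannot satisfy by
    # copying the legitimate headers onto a substitute body.
    digest = hashlib.sha256(body).hexdigest()
    if digest != pinned_sha256:
        findings.append(f"sha256 {digest[:16]}... does not match pinned {pinned_sha256[:16]}...")
    return findings


LEGIT_RESPONSE = make_response(LEGIT_INSTALLER, "setup.exe")
SWAPPED_RESPONSE = make_response(SWAPPED_INSTALLER, "setup.exe")

if __name__ == "__main__":
    print("legit:", check_download("setup.exe", LEGIT_RESPONSE, PINNED_SHA256))
    print("swapped:", check_download("setup.exe", SWAPPED_RESPONSE, PINNED_SHA256))
```

Note that the swapped response passes every header-level check and is caught only by the digest; filename and length checks are cheap tripwires for sloppier substitutions, but a pinned hash (or a verified Authenticode signature on Windows) is the check that actually matters against a router that controls the whole response.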
The campaign appears to be highly targeted. “DKnife primarily targets Chinese-speaking users,” the report states, pointing to specific modules designed to harvest credentials for Chinese mail services and exfiltrate data from popular apps like WeChat and QQ.
The code itself is riddled with clues. Comments written in Simplified Chinese were found throughout the configuration files, and the malware includes specific logic to track “internet actions” on Chinese platforms. For example, one intercepted message translates to “Using Signal encryption chat APP”, indicating the group logs the use of encrypted messaging apps as usage metadata even where it cannot read their contents.
DKnife does not work alone. It serves as a delivery mechanism for two notorious backdoors: ShadowPad and DarkNimbus.
“It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates,” the report explains.
When a victim installs a hijacked Windows program, they unknowingly start an infection chain. A legitimate loader (often a signed file) side-loads the ShadowPad DLL, which then loads DarkNimbus. DKnife then ensures these backdoors can “phone home” by intercepting their DNS requests (often directed at 1.1.1.1) and redirecting them to the real command-and-control (C2) server.
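An added example, not from the Talos report or from the malware: a Python check that a host-based agent could run to catch the on-path DNS rewriting described above. It parses the plaintext UDP answer the client actually received from its resolver and compares it with a reference answer obtained over a channel the router cannot alter (DNS-over-HTTPS or DNS-over-TLS to the same resolver, for instance). Both packets and the reference addresses are constructed here; the hostname and IP addresses are documentation-range placeholders, not DKnife indicators.

```python
import ipaddress
import struct


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_a_response(txid: int, name: str, addrs: list[str], ttl: int = 300) -> bytes:
    """Constructed wire-format answer, as a resolver (or a router rewriting its reply) would send it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)              # type A, class IN
    answers = b""
    for addr in addrs:
        # 0xC00C is a compression pointer to the name in the question section (offset 12)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answers


def read_name(pkt: bytes, off: int):
    """Decode a possibly-compressed name; return (name, offset just past it in the original stream)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_answers(pkt: bytes):
    """Return (txid, [(name, ipv4, ttl), ...]) for the A records in the answer section."""
    txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(pkt, off)
        off += 4                                       # qtype + qclass
    records = []
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1:
            records.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
    return txid, records


def detect_dns_rewrite(plain_pkt: bytes, expected_txid: int, qname: str, reference_addrs: list[str]) -> list[str]:
    """Compare the plaintext answer with the encrypted-channel reference; non-empty result means tampering."""
    txid, records = parse_a_answers(plain_pkt)
    findings = []
    if txid != expected_txid:
        findings.append(f"transaction id {txid:#06x} does not match query {expected_txid:#06x}")
    if not records:
        findings.append("no A records in plaintext answer")
    for name, _, _ in records:
        if name != qname:
            findings.append(f"answer for {name!r} returned for query {qname!r}")
    unexpected = {ip for _, ip, _ in records} - set(reference_addrs)
    if unexpected:
        findings.append(f"plaintext answer {sorted(unexpected)} absent from encrypted reference {sorted(reference_addrs)}")
    return findings


# Constructed traffic: what the resolver really answers vs. what an on-path router substitutes.
QNAME = "updates.example.com"
REFERENCE = ["192.0.2.10"]                                # answer over DoH/DoT, constructed
HONEST_REPLY = build_a_response(0x1A2B, QNAME, REFERENCE)
REWRITTEN_REPLY = build_a_response(0x1A2B, QNAME, ["198.51.100.7"])  # stand-in for a C2 address

if __name__ == "__main__":
    print("honest:", detect_dns_rewrite(HONEST_REPLY, 0x1A2B, QNAME, REFERENCE))
    print("rewritten:", detect_dns_rewrite(REWRITTEN_REPLY, 0x1A2B, QNAME, REFERENCE))
```

The rewritten reply keeps the transaction ID, the queried name and the resolver's source address, so nothing in the packet itself looks wrong; only a comparison against an answer the gateway could not modify exposes the substitution. That is also why moving a fleet to encrypted DNS removes this particular lever from a compromised router, although it does nothing against the download hijacking above.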
The discovery of DKnife highlights a critical blind spot in modern security: the router. “Routers and edge devices remain prime targets in sophisticated targeted attack campaigns,” Talos warns.